From 46dbeb941c27c3c84fbcadc8f7ac345e34e9e976 Mon Sep 17 00:00:00 2001
From: Stan Ulbrych
Date: Fri, 10 Apr 2026 20:03:10 +0100
Subject: [PATCH 1/3] Add `zizmor` and `dependabot.yml`

---
 .github/dependabot.yml      | 23 +++++++++++++++++++++++
 .github/workflows/build.yml |  8 ++++++--
 .pre-commit-config.yaml     |  6 ++++++
 3 files changed, 35 insertions(+), 2 deletions(-)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..8a50e6c
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,23 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "quarterly"
+    labels:
+      - "skip issue"
+      - "skip news"
+    ignore:
+      - dependency-name: "*"
+        update-types:
+          - "version-update:semver-minor"
+          - "version-update:semver-patch"
+    groups:
+      actions:
+        patterns:
+          - "*"
+    cooldown:
+      # https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
+      # Cooldowns protect against supply chain attacks by avoiding the
+      # highest-risk window immediately after new releases.
+      default-days: 14
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index df1f3f4..b438269 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
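Review bot: The `ignore` entry for `dependency-name: "*"` drops every minor and patch update, so the only PRs Dependabot will open here are major-version bumps of actions; the SHA pins this series introduces in build.yml (`actions/checkout` at v6.0.2) will therefore not move for a v6.x patch release, including one that fixes a vulnerability, and will need a manual bump. If that is the intended trade-off it deserves a comment next to the `ignore` block, e.g. `# Only major bumps are proposed; minor/patch releases (security fixes included) are bumped by hand.` Whether Dependabot security updates are enabled for this repository, and whether they honour this ignore list, cannot be told from the file and is worth confirming before relying on them. The `skip issue` and `skip news` labels must already exist in the repository for Dependabot to apply them.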
@@ -25,15 +25,19 @@ jobs:
           - undefined
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: google/oss-fuzz
           path: oss-fuzz
+          persist-credentials: false
       - name: Patch Dockerfile to use this ref
         run: |
-          sed -i "s|git clone --depth 1 --branch main https://github.com/python/library-fuzzers.git|git clone --depth 1 --branch ${{ github.head_ref }} ${{ github.event.pull_request.head.repo.clone_url }} library-fuzzers|" \
+          sed -i "s|git clone --depth 1 --branch main https://github.com/python/library-fuzzers.git|git clone --depth 1 --branch ${BRANCH} ${CLONE_URL} library-fuzzers|" \
             oss-fuzz/projects/python3-libraries/Dockerfile
+        env:
+          BRANCH: ${{ github.head_ref }}
+          CLONE_URL: ${{ github.event.pull_request.head.repo.clone_url }}
       - name: Build fuzzers
         run: |
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 17748f8..1a24d7c 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -19,3 +19,9 @@ repos:
         exclude: ^corp-
       - id: trailing-whitespace
         exclude: ^corp-
+
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: b546b77c44c466a54a42af5499dcc0dcc1a3193f # frozen: v1.22.0
+    hooks:
+      - id: zizmor
+        args: [--fix=all]

From 9b63a86cd76879ce50e544b42dffa6e576d49537 Mon Sep 17 00:00:00 2001
From: Stan Ulbrych
Date: Fri, 10 Apr 2026 20:07:51 +0100
Subject: [PATCH 2/3] I saw @hugovk do this today, also ensure `fuzz_targets.txt` will be sorted for eternity!

---
 .pre-commit-config.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 1a24d7c..ce1e685 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -17,6 +17,8 @@ repos:
         exclude: ^corp-
       - id: end-of-file-fixer
         exclude: ^corp-
+      - id: file-contents-sorter
+        files: '^fuzz_targets.txt$'
       - id: trailing-whitespace
         exclude: ^corp-

From e5f2f8486f54249fb9b7b20851c0777a03a3c0d6 Mon Sep 17 00:00:00 2001
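Review bot: Moving `github.head_ref` and the fork clone URL into `env` closes the shell-injection path, but the new `sed -i "s|…|… ${BRANCH} ${CLONE_URL} …|"` line still splices both values into a sed expression, and neither is guaranteed to be free of sed metacharacters: a `|` in the value ends the replacement early and the remainder is read as sed flags, and `&` and `\` are rewritten inside the replacement text. Git allows `|` and `&` in ref names, so a branch name chosen by the PR author can trigger this. A cheap guard at the top of the same `run:` block is `case "${BRANCH}${CLONE_URL}" in *'|'*|*'&'*|*'\'*) echo "unsupported character in ref or URL" >&2; exit 1;; esac`. `head_ref` is also empty for triggers other than `pull_request`, which would leave `--branch` with no argument; the job's trigger and the remaining steps lie outside this hunk, so I cannot tell whether that case is reachable.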
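Review bot: `args: [--fix=all]` on the new `zizmor` hook enables auto-fix including the fixes zizmor itself classifies as unsafe, i.e. rewrites that may change what a workflow does rather than only how it is written, and pre-commit will apply them to the working tree on every run. For a hook meant as a lint gate that is surprising; `--fix=safe`, or omitting `--fix` so the hook only reports, keeps behaviour-changing edits to workflows as explicit, reviewed changes. If `all` is deliberate, a short comment on that line explaining why would help whoever next sees a workflow file rewritten under them. The `rev` is SHA-pinned with a `# frozen:` marker, which is the right shape for this repository.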
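Review bot: The `files` value for the new `file-contents-sorter` hook is a regular expression, so the unescaped `.` in `'^fuzz_targets.txt$'` also matches names like `fuzz_targetsXtxt`; it should read `files: '^fuzz_targets\.txt$'`. Harmless today, but this is the kind of pattern that gets copied for the next file. If duplicate entries should be rejected as well as unsorted ones, the hook also accepts `args: [--unique]`.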
From: Stan Ulbrych
Date: Fri, 10 Apr 2026 20:08:53 +0100
Subject: [PATCH 3/3] lint `.pre-commit-config.yaml`

---
 .pre-commit-config.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index ce1e685..3d63df9 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -7,7 +7,6 @@ repos:
       - id: ruff-format
         exclude: ^corp-
-
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # frozen: v6.0.0
     hooks: